I'm Nelson. I work at AWS by day, and build production infrastructure by night.

My path to DevOps wasn't planned. I graduated in Dublin with a Computer Science degree focused on web development and cloud computing, then joined AWS as a Technical Customer Service Associate. That role put me on the front lines of customer infrastructure problems. I spent my days digging through CloudTrail logs, debugging IAM permission boundaries, and helping people figure out why their ECS tasks weren't starting or why their costs suddenly doubled. You learn fast when every ticket is someone else's production issue.

But there's a gap between understanding AWS services and actually building with them. Early on I was mostly a frontend developer. I could build interfaces, but I had no idea how to deploy them properly. Which CI/CD tool should I use? How do I structure environments? What's the right trade-off between shipping fast and not going broke on AWS bills? I didn't have a team to ask, so I figured it out myself.

The turning point was deciding to build my own portfolio as real infrastructure, not just a frontend project. I wrote the CI/CD pipelines in GitHub Actions with OIDC auth (no static credentials), defined everything as code in AWS CDK TypeScript, containerised the app with Docker and deployed it on ECS. That grew into a 6-stack architecture separated by operational domain, with SSM-based service discovery, container hardening (non-root, dropped capabilities, tini), and a multi-tier WAF. I passed the AWS DevOps Engineer Professional exam along the way, which validated a lot of what I'd been learning the hard way.

More recently, I built a self-hosted observability platform from scratch: Prometheus, Grafana, Loki, and Tempo running as a 7-container Docker Compose stack on EC2. It has DNS-based service discovery, OpenTelemetry trace ingestion, and a full CI/CD pipeline with policy-as-code scanning, drift detection, smoke tests, and automated rollback if anything fails. At work, I also handle security incidents involving compromised IAM keys, which means I spend a fair amount of time in CloudTrail, coordinating credential rotations and debugging trust relationships.

The articles I write here come from problems I've actually hit. Not theory, not course material. If I write about CDK stack separation or container security or CloudFront cache policies, it's because I dealt with the broken version first and had to fix it. I hope they save someone else a few hours of debugging.